Colin,
If you've disabled smtp and don't have fetchmail running, there is no way for James to be receiving emails to relay. What logs show the spam, and have you checked netstat to see where they are connecting, and then what program those connections are hitting?
--
Serge Knystautas
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. [EMAIL PROTECTED]
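As an added example (not from Serge's reply or the James project), a POSIX shell script that applies the netstat check above to a constructed `netstat -tanp` sample: which programs listen on which ports, which established inbound connections are not SMTP at all, and how many outbound port-25 connections each program holds. Every address, PID and program name in the sample is made up; on a real host the same functions read `netstat -tanp` (run as root so the program column is filled in).

```shell
#!/bin/sh
# Constructed sample of `netstat -tanp` output on Linux. Addresses are
# documentation ranges; PIDs and program names are invented.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2345/java
tcp        0      0 0.0.0.0:4555            0.0.0.0:*               LISTEN      2345/java
tcp        0      0 192.0.2.10:42001        198.51.100.7:25         ESTABLISHED 2345/java
tcp        0      0 192.0.2.10:42002        198.51.100.8:25         SYN_SENT    2345/java
tcp        0      0 192.0.2.10:42003        203.0.113.9:25          ESTABLISHED 1234/sendmail
tcp        0      0 192.0.2.10:4555         203.0.113.50:51234      ESTABLISHED 2345/java'

# Which programs accept inbound connections, and on which ports.
# Prints one "port program" pair per LISTEN line, sorted by port.
listeners() {
    awk '$6 == "LISTEN" {
             n = split($4, a, ":"); split($7, p, "/")
             print a[n], p[2] }' | sort -n
}

# Established connections where neither side is port 25. If SMTP is
# disabled and the outgoing queue still fills, mail is entering through
# some other listener; this shows which one and from where.
inbound_non_smtp() {
    awk '$6 == "ESTABLISHED" {
             n = split($4, a, ":"); m = split($5, f, ":"); split($7, p, "/")
             if (a[n] != 25 && f[m] != 25) print a[n], f[1], p[2] }' | sort
}

# Outbound delivery attempts: connections whose remote side is port 25,
# counted per local program. The program whose count keeps climbing is
# the one doing the relaying.
outbound_smtp_by_program() {
    awk '$5 ~ /:25$/ { split($7, p, "/"); c[p[2]]++ }
         END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run over the sample; on a live host replace the printf with
# `netstat -tanp`.
printf '%s\n' "$NETSTAT_SAMPLE" | listeners
printf '%s\n' "$NETSTAT_SAMPLE" | inbound_non_smtp
printf '%s\n' "$NETSTAT_SAMPLE" | outbound_smtp_by_program
```

Run it repeatedly while the queue fills; a program other than the expected MTA accumulating outbound :25 connections, or an unexpected inbound listener, is what to look at next in that program's logs.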
Colin W. Kingsbury wrote:
Hi All,
We are using the James 2.2.0 server on a Red Hat box and are having very grave problems with what appears at a distance to be spam being relayed through our system.
What makes this very strange is that the logs indicate that the spam is being relayed from our own IP address, though the machine itself is quite strictly controlled and it is impossible that this is being done by an "authorized" user.
The server attempts to deliver this mail even when we disable SMTP and run James as a POP3 server only. We have confirmed that when we shut the James process down completely and run Sendmail SMTP only, the mail stops, and does not start again. So there is clearly some connection to James. However, we currently have some custom code developed for James so we have no choice but to run it. This is also despite the fact that we have followed the instructions to disallow relaying except from IP addresses we know and control.
Approximately 10 minutes ago, I shut James down, cleaned out the outgoing/ directory and restarted. Now it is starting to fill up again and I am watching the java CPU usage climb like a thermometer. Eventually it will max out and then our own email won't make it out.
I would like to know what is recommended for the config.xml to create a "maximum security" configuration. We only need to allow relaying from a local client (specifically php webmail using NOCC) and from one other known IP address.
Also, if there are any recommended patches beyond what are contained in the basic 2.2.0 download on apache.org please say so. Want to make sure we are running the latest and greatest.
I am becoming concerned that there is some kind of backdoor in James that is being exploited for these purposes. This is a situation we cannot tolerate very long. If there is anyone out there who is truly familiar with James and offers commercial support, we would like to hear from you. We need to resolve this problem very quickly, or we will need to undertake a crash replacement program which we'd rather avoid.
Thanks, -cwk.